Built an API Fraud Detector After Getting Scammed — Here's How It Works

ti pi — Wed, 20 May 2026 03:08:22 +0000

Last month, I paid for GPT-4 API access through a relay provider and got GPT-3.5 instead. The relay was charging premium prices while downgrading models. Token counts were inflated by 30-50%. And there was a hidden system prompt injected into every request.

I got scammed. So I built API DNA — a free tool that detects API fraud in seconds.

The Problem: API Relays Are a Wild West

The AI API market has exploded with relay/proxy providers. Some are legitimate businesses. Others are not:

• Model substitution: Selling GPT-4, serving GPT-3.5-turbo
• Token inflation: Charging for 1000 tokens when only 600 were used
• Hidden prompt injection: Secretly injecting system prompts that consume your token budget
• Identity fraud: Claiming to be an official endpoint while routing through cheap proxies

How API DNA Works

Quick Scan (3 seconds, no API key needed)

Enter any API endpoint and get instant results:

Architecture Detection — Is it official, a legitimate relay, or an unknown proxy? We check IP/ASN records, response headers, server signatures, and error format fingerprints.
Model Listing — We probe /v1/models and variant endpoints to see what models are actually available.
Security Headers — CORS, HSTS, CSP analysis.
Price Audit — Compare the endpoint's pricing against official rates.

Deep Scan (30 seconds, requires API key)

The full DNA test with your own credentials:

Behavioral Fingerprinting — We send carefully crafted prompts that elicit unique behavioral signatures from different model families. GPT-4o responds differently from GPT-3.5, which responds differently from Claude, which responds differently from DeepSeek. These differences are structural, not just stylistic — they persist even when the model is told to impersonate another.
Rare Token Probing — Each tokenizer has unique rare tokens. By probing with multilingual, mathematical, and Unicode-heavy inputs, we can identify the underlying tokenizer family, which reveals the true model.
Token Audit — We compare the token counts reported by the API against our own independent estimation. A discrepancy means someone is inflating your bill.
Speed Analysis — TTFT (Time to First Token), tokens per second, and chunk variance. Each model family has characteristic speed profiles.
Security Audit — We test for hidden system prompt injection, context leakage between requests, tool call tampering, and identity consistency across probes.
Trust Score — All checks are aggregated into a L0-L7 trust level with a detailed breakdown.

Real Findings

In testing, we've found:

• A "GPT-4" relay actually serving GPT-3.5-turbo (detected via behavioral fingerprinting)
• Token inflation of 2-3x on popular relay services
• Hidden system prompts consuming 50-200 tokens per request
• Endpoints claiming official status but routing through 3rd-party proxies

Try It Yourself

API DNA is free to use, no signup required.

• Quick Scan: Enter any API endpoint, get results in 3 seconds
• Deep Scan: Provide your API key for full analysis in 30 seconds

Every scan generates a shareable report with a unique URL and downloadable PNG image.

What's Next

• Provider registry with verified endpoints
• API for programmatic scanning
• Continuous monitoring alerts
• Browser extension for real-time verification

If you've ever used an API relay and wondered "am I getting what I paid for?", give it a try. I'd love to hear what you find.

DEV Community: ti pi

Built an API Fraud Detector After Getting Scammed — Here's How It Works